8.8

CVE-2015-8379

Exploit
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CakephpCakephp Version2.0.0
CakephpCakephp Version2.0.0 Updatealpha
CakephpCakephp Version2.0.0 Updatebeta
CakephpCakephp Version2.0.0 Updatedev
CakephpCakephp Version2.0.0 Updaterc1
CakephpCakephp Version2.0.0 Updaterc2
CakephpCakephp Version2.0.0 Updaterc3
CakephpCakephp Version2.0.1
CakephpCakephp Version2.0.2
CakephpCakephp Version2.0.3
CakephpCakephp Version2.0.4
CakephpCakephp Version2.0.5
CakephpCakephp Version2.0.6
CakephpCakephp Version2.1.0
CakephpCakephp Version2.1.0 Updatealpha
CakephpCakephp Version2.1.0 Updatebeta
CakephpCakephp Version2.1.0 Updaterc1
CakephpCakephp Version2.1.1
CakephpCakephp Version2.1.2
CakephpCakephp Version2.1.3
CakephpCakephp Version2.1.4
CakephpCakephp Version2.1.5
CakephpCakephp Version2.2.0
CakephpCakephp Version2.2.0 Updatebeta
CakephpCakephp Version2.2.0 Updaterc1
CakephpCakephp Version2.2.0 Updaterc2
CakephpCakephp Version2.2.1
CakephpCakephp Version2.2.2
CakephpCakephp Version2.2.3
CakephpCakephp Version2.2.4
CakephpCakephp Version2.2.5
CakephpCakephp Version2.2.6
CakephpCakephp Version2.2.7
CakephpCakephp Version2.2.8
CakephpCakephp Version2.2.9
CakephpCakephp Version2.3.0
CakephpCakephp Version2.3.0 Updatebeta
CakephpCakephp Version2.3.0 Updaterc1
CakephpCakephp Version2.3.0 Updaterc2
CakephpCakephp Version2.3.1
CakephpCakephp Version2.3.2
CakephpCakephp Version2.3.3
CakephpCakephp Version2.3.4
CakephpCakephp Version2.3.5
CakephpCakephp Version2.3.6
CakephpCakephp Version2.3.7
CakephpCakephp Version2.3.8
CakephpCakephp Version2.3.9
CakephpCakephp Version2.3.10
CakephpCakephp Version2.4.0
CakephpCakephp Version2.4.0 Updatebeta
CakephpCakephp Version2.4.0 Updaterc1
CakephpCakephp Version2.4.0 Updaterc2
CakephpCakephp Version2.4.1
CakephpCakephp Version2.4.2
CakephpCakephp Version2.4.3
CakephpCakephp Version2.4.4
CakephpCakephp Version2.4.5
CakephpCakephp Version2.4.6
CakephpCakephp Version2.4.7
CakephpCakephp Version2.4.8
CakephpCakephp Version2.4.9
CakephpCakephp Version2.4.10
CakephpCakephp Version2.5.0
CakephpCakephp Version2.5.0 Updatebeta
CakephpCakephp Version2.5.0 Updaterc1
CakephpCakephp Version2.5.0 Updaterc2
CakephpCakephp Version2.5.1
CakephpCakephp Version2.5.2
CakephpCakephp Version2.5.3
CakephpCakephp Version2.5.4
CakephpCakephp Version2.5.5
CakephpCakephp Version2.5.6
CakephpCakephp Version2.5.7
CakephpCakephp Version2.5.8
CakephpCakephp Version2.5.9
CakephpCakephp Version2.6.0
CakephpCakephp Version2.6.0 Updatebeta
CakephpCakephp Version2.6.0 Updaterc1
CakephpCakephp Version2.6.1
CakephpCakephp Version2.6.2
CakephpCakephp Version2.6.3
CakephpCakephp Version2.6.4
CakephpCakephp Version2.6.5
CakephpCakephp Version2.6.6
CakephpCakephp Version2.6.7
CakephpCakephp Version2.6.8
CakephpCakephp Version2.6.9
CakephpCakephp Version2.6.10
CakephpCakephp Version2.6.11
CakephpCakephp Version2.6.12
CakephpCakephp Version2.7.0
CakephpCakephp Version2.7.0 Updaterc1
CakephpCakephp Version2.7.1
CakephpCakephp Version2.7.2
CakephpCakephp Version2.7.3
CakephpCakephp Version2.7.4
CakephpCakephp Version2.7.5
CakephpCakephp Version2.7.6
CakephpCakephp Version2.7.7
CakephpCakephp Version2.7.8
CakephpCakephp Version2.7.9
CakephpCakephp Version2.8.0 Updaterc1
CakephpCakephp Version3.0.0
CakephpCakephp Version3.0.0 Updatealpha1
CakephpCakephp Version3.0.0 Updatealpha2
CakephpCakephp Version3.0.0 Updatebeta1
CakephpCakephp Version3.0.0 Updatebeta2
CakephpCakephp Version3.0.0 Updatebeta3
CakephpCakephp Version3.0.0 Updatedev1
CakephpCakephp Version3.0.0 Updatedev2
CakephpCakephp Version3.0.0 Updatedev3
CakephpCakephp Version3.0.0 Updaterc1
CakephpCakephp Version3.0.0 Updaterc2
CakephpCakephp Version3.0.1
CakephpCakephp Version3.0.2
CakephpCakephp Version3.0.3
CakephpCakephp Version3.0.4
CakephpCakephp Version3.0.5
CakephpCakephp Version3.0.6
CakephpCakephp Version3.0.7
CakephpCakephp Version3.0.8
CakephpCakephp Version3.0.9
CakephpCakephp Version3.0.10
CakephpCakephp Version3.0.11
CakephpCakephp Version3.0.12
CakephpCakephp Version3.0.13
CakephpCakephp Version3.0.14
CakephpCakephp Version3.0.15
CakephpCakephp Version3.1.0
CakephpCakephp Version3.1.0 Updatebeta1
CakephpCakephp Version3.1.0 Updatebeta2
CakephpCakephp Version3.1.0 Updaterc1
CakephpCakephp Version3.1.1
CakephpCakephp Version3.1.2
CakephpCakephp Version3.1.3
CakephpCakephp Version3.1.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.4% 0.69
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://bakery.cakephp.org/2015/11/29/cakephp_315_released.html
Vendor Advisory
http://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
Exploit
http://karmainsecurity.com/KIS-2016-01
Exploit
http://packetstormsecurity.com/files/135301/CakePHP-3.2.0-CSRF-Bypass.html
Exploit
http://seclists.org/fulldisclosure/2016/Jan/42
Exploit
http://www.securityfocus.com/archive/1/537317/100/0/threaded
https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
Patch